How to add certificates to SonarLint in Eclipse - sonarqube

A certificate is required to connect to my SonarQube server. I have installed the SonarLint plugin, but it does not have any option to add certificates to connect to my SonarQube server. It has only URL, username, and password options. Is there any way to set certificates?

SonarLint does not permit the configuration of certificates, but you can add the certificate to the JRE or JDK.
https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
Copied text from the Oracle documentation:
Import the Certificate as a Trusted Certificate
Before you can grant the signed code permission to read a specified file, you need to import Susan's certificate as a trusted certificate in your keystore.
Suppose that you have received from Susan
the signed JAR file sCount.jar, which contains the Count.class file, and
the file Example.cer, which contains the public key certificate for the public key corresponding to the private key used to sign the JAR file.
Even though you created these files and they haven't actually been transported anywhere, you can simulate being someone other than the creator and sender, Susan. Pretend that you are now Ray. Acting as Ray, you will create a keystore named exampleraystore and will use it to import the certificate into an entry with an alias of susan.
A keystore is created whenever you use a keytool command specifying a keystore that doesn't yet exist. Thus we can create the exampleraystore and import the certificate via a single keytool command. Do the following in your command window.
Go to the directory containing the public key certificate file Example.cer. (You should actually already be there, since this lesson assumes that you stay in a single directory throughout.)
Type the following command on one line: keytool -import -alias susan -file Example.cer -keystore exampleraystore
Since the keystore doesn't yet exist, it will be created, and you will be prompted for a keystore password; type whatever password you want.
The keytool command will print out the certificate information and ask you to verify it, for example, by comparing the displayed certificate fingerprints with those obtained from another (trusted) source of information. (Each fingerprint is a relatively short number that uniquely and reliably identifies the certificate.) For example, in the real world you might call up Susan and ask her what the fingerprints should be. She can get the fingerprints of the Example.cer file she created by executing the command
keytool -printcert -file Example.cer
If the fingerprints she sees are the same as the ones reported to you by keytool, the certificate has not been modified in transit. In that case you let keytool proceed with placing a trusted certificate entry in the keystore. The entry contains the public key certificate data from the file Example.cer and is assigned the alias susan.

Related

Why can not Hostname of NiFi Certificate Authority be updated using NIFI-TOOLKIT?

Toolkit to generate keystore and truststore with "-c 'hhh'", but the CN is 'localhost'? Can you give me a suggestion? Thanks in advance!
-c,--certificateAuthorityHostname Hostname of NiFi Certificate Authority (default: localhost)
If you're running the TLS Toolkit in standalone mode, and this is not the first invocation, you likely already have a nifi-cert.pem and nifi-key.key file in the working directory. These files are the CA public certificate and private key respectively. They will be reused to continue signing newly generated node certificates because this allows for trust across the different nodes of the cluster (which is the intended use case for the toolkit).
If you want to create a new CA certificate and use that to sign the node certificates, you have a few options:
Copy the toolkit build directory to a new location and invoke it there. Ensure that the nifi-cert.pem and nifi-key.key files are not present. On the first invocation, a new CA certificate and key will be generated, with the specified certificate authority hostname.
Delete the nifi-cert.pem and nifi-key.key files from your existing toolkit build directory. Warning: You will no longer be able to sign certificates with the same CA key. For example, if you generated node1 and node2 certificates signed by CA_1, then delete CA_1 and want to add node3, you will not be able to sign node3 with CA_1. You will have to import multiple public CA certificates (CA_1 and the new CA_2, for example) into each node's truststore to allow for cross-trust.
Try to add -D in your command, to specify the CN and so on:
sudo bash tls-toolkit.sh client -c #YOUR_CA_HOST_FQDN -t #YOUR_CA_KEY_IF_ANY -p #CA_SERVER_PORT_IF_ANY -D "CN=#WHAT_EVER_YOU_WANT, OU=NIFI" -T PKCS12
I experienced the same problem here; my solution was to remove the target file, as suggested in the previous post, and run the script with an additional parameter. In your case it should be something like this:
tls-toolkit.sh standalone .... --certificateAuthorityHostname hhh
It worked for me.

How to add certificate for remote repository in JFrog Artifactory

Could you please help me use the JFrog Artifactory certificates feature (Admin -> Certificates)?
I want to add a certificate for a Maven repository (https://plugins.jenkins.io/repository).
Below are the steps I followed:
Step 1: Downloaded the certificate (DER encoded binary X.509) for this repository from the Chrome browser.
Step 2: Converted the certificate extension from .cer to .pem. I directly changed the extension from .cer to .pem, and also tried with OpenSSL: openssl x509 -inform der -in certificate.cer -out certificate.pem
Step 3: Added a new certificate via Admin -> Certificates -> New (dragged and dropped the .pem file) and entered the certificate alias name.
After clicking Save, I get the error below:
Certificate could not be added. Unable to read the provided PEM file. Missing private key or certificate.
Other important information:
When I researched this error further, I found that JFrog expects both the certificate and the private key in the .pem file. When I download the certificate from Chrome, I get only the certificate, not the private key.
https://jfrog.com/knowledge-base/how-to-resolve-the-certificate-could-not-be-added-unable-to-read-the-provided-pem-file-missing-key-or-certificate/
I have tried the above steps with a Base-64 encoded X.509 certificate as well, but the results are the same.
What you are doing is adding a client certificate.
This means that when Artifactory accesses a remote repository, it will secure the connection using a client certificate.
If your problem is that Artifactory does not trust the certificate exposed by the remote repo (https://plugins.jenkins.io/repository), then you need to follow the directions here:
https://www.jfrog.com/confluence/display/RTF/Using+a+Self-Signed+Certificate
More explanations about the differences:
https://www.websecurity.symantec.com/security-topics/client-certificates-vs-server-certificates
Please elaborate a little bit more about the original problem you had, so we could understand if you are picking the right solution.
Good luck.
Your certificate probably came from a CSR (certificate request)?
You should have a private key within that CSR request file. Simply paste the output CER text (enclosed by ----- BEGIN CERTIFICATE ... -----END CERTIFICATE), i.e. your issued certificate, a blank line, then the similar ---- BEGIN PRIVATE KEY ... ---- END PRIVATE KEY section from the CSR into a simple file called < whatever >.PEM and put that into JFrog. I told JFrog just yesterday that this part is not clear, and could be expressed more simply in their wiki. What it's complaining about is the lack of a PRIVATE KEY entry in the PEM. It took me a while to realise this, and where to get it from.
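Both the keytool verification step quoted in the SonarLint answer (compare fingerprints before trusting a certificate) and the JFrog "Missing private key or certificate" error come down to what is actually inside the file being imported. The Python script below is an added example, not code from the Oracle tutorial, SonarSource or JFrog: it detects a DER file that was merely renamed to .pem, lists which PEM block types are present, reports whether the file can serve as a client certificate (certificate plus key) or only as a trust anchor, and prints the SHA-256 fingerprint in the colon-separated form that keytool -printcert shows. SAMPLE_DER and SAMPLE_PEM are constructed placeholders, not real certificates.

```python
"""Inspect a certificate file before importing it into a JDK truststore or JFrog.

Added example, not code from the Oracle tutorial, SonarSource or JFrog.
SAMPLE_DER and SAMPLE_PEM are constructed placeholders, not real certificates.
"""
import base64
import hashlib
import re

# One PEM block: label on the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def looks_like_der(data: bytes) -> bool:
    """A DER X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    Renaming .cer to .pem does not change the bytes, so this still returns True."""
    return len(data) > 2 and data[0] == 0x30


def pem_blocks(data: bytes) -> list:
    """Return [(label, der_bytes), ...] for every PEM block in the file."""
    text = data.decode("ascii", errors="replace")
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER bytes as colon-separated uppercase hex, the layout that
    'keytool -printcert' displays, so it can be compared with an out-of-band value."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify(data: bytes) -> dict:
    """Summarise what the file holds: encoding, number of certs and private keys, fingerprints."""
    if looks_like_der(data):
        return {"format": "DER", "certs": 1, "keys": 0, "fingerprints": [fingerprint(data)]}
    blocks = pem_blocks(data)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    return {
        "format": "PEM" if blocks else "unknown",
        "certs": len(certs),
        "keys": len(keys),
        "fingerprints": [fingerprint(der) for der in certs],
    }


def suitable_for(summary: dict) -> str:
    """Which import path the file can serve: JFrog Admin -> Certificates wants cert + key
    (a client certificate); a JDK truststore import wants the certificate alone."""
    if summary["certs"] and summary["keys"]:
        return "client-certificate (certificate plus private key)"
    if summary["certs"]:
        return "trust-anchor only (import into a truststore such as cacerts)"
    return "nothing usable"


# Constructed placeholder: an ASN.1 SEQUENCE header followed by zero bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + b"\x00" * 16
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, data in (("renamed .cer", SAMPLE_DER), ("real PEM", SAMPLE_PEM)):
        summary = classify(data)
        print(name, summary["format"], "->", suitable_for(summary), summary["fingerprints"])
```

Run it against the file you downloaded from the browser (`classify(open(path, "rb").read())`): a result of "DER" means the rename never converted anything and the openssl x509 -inform der step is still needed; "trust-anchor only" means the file is the server's certificate and belongs in a truststore, not in the JFrog client-certificate dialog. Whichever tool you import into, compare the printed fingerprint with one obtained through a channel you already trust before accepting the certificate.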

CertUtil importpfx Keyset does not exist

I have a p12 file, 'test.p12,' that has a certificate, the CA cert (self-signed), and private key for the certificate. The p12 file is generated using the BouncyCastle's C# API.
When trying to import the certificate by using 'CertUtil', i.e., 'CertUtil -f -p password -importpfx test.p12,' CertUtil generates the following error:
CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
Any clues as to what may be wrong? (I'm using Windows 10)
Using openssl, I can see that 'test.p12' does include the certificate, CA cert, and private key. The certificate is using an EC keypair, but I doubt that's a problem since I have a reference p12 file that uses the same algorithm and is imported by CertUtil without problem. Unfortunately, I have no detail on how the reference file is generated.
In my Google searches, many seem to suggest that this may be a permission problem, but I doubt that's the case as I'm running CertUtil as the Administrator.
When importing the same file using 'MMC' with the certificate snap-ins, the certificate is "successfully" imported if I force the MMC to store it in a specific store, e.g., Personal; otherwise, it prompts to select a Smart Card for the certificate. Could this be a related problem?
Thanks,
--Hyong

Alias cannot be found in certificate keystore

I'm trying to sign a jar file using a code signing certificate. The alias name includes some special characters (Turkish characters). The alias name is similar to the following:
bi?li?şi?m teknoloji?leri? eği?ti?m's comodo ca limited id
When I try to sign a jar file, the following error occurs:
Certificate chain not found for: bi?li?şi?m teknoloji?leri? eği?ti?m's
comodo ca limited id. bi?li?şi?m teknoloji?leri? eği?ti?m's comodo ca
limited id must reference a valid KeyStore key entry containing a
private key and corresponding public key certificate chain.
I tried to change the alias name by using the keytool (JDK) utility, but again, since the alias name was not found, I couldn't succeed.
When I looked at the details with keytool, I saw that the entry type is "PrivateKeyEntry", so I don't think this error is about a missing private key.
The problem seems related to an unrecognized character issue.
How can I solve this problem and proceed to signing my jar file?
The support team from the certificate company responded to my email. They wanted to renew the certificate without using Turkish characters in the company name. As I guessed, the problem was related to unrecognized characters.

How can I set up Jenkins CI to use https on Windows?

We've recently set up a Jenkins CI server on Windows. Now in order to use Active Directory authentication I'd like to require https (SSL/TLS) for access. Given this setup, what is the recommended way to do this?
Go to your %JENKINS_HOME% and modify the jenkins.xml. Where you see --httpPort=8080, change it to --httpPort=-1 --httpsPort=8080. You can make the ports anything you want, of course, but in my testing (a while ago, it may have changed) if you don't keep --httpPort=<something> then Jenkins will always use 8080. So if you simply change --httpPort=8080 to --httpsPort=8080, port 8080 will still use http.
Also, if you want to use your own certificate, there are some instructions at the bottom of this page.
http://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
Run:
keytool -genkey -keyalg RSA -keystore Jenkins.jks -alias [Name of website] -keysize 2048
Answer the questions, remembering that "First and last name" is the website URL and should be lowercase. Example:
build.jenkins-ci.org
State or province cannot be abbreviated.
Run:
keytool -certreq -Keystore jenkins.jks -alias [Name of website] -file jenkins.csr -keysize 2048
Send Jenkins.csr to your cert provider and request a PKCS#7 cert which has a .p7b extension and starts with:
-----BEGIN PKCS #7 SIGNED DATA-----
Note: Trial certs are not normally available in .p7b format but you may be able to combine the .cer files using this tool which reported success but didn't work for me. (https://www.sslshopper.com/ssl-converter.html)
Run:
keytool -import -trustcacerts -file jenkins.p7b -keystore jenkins.jks -alias [Name of website]
Change the arguments node in Jenkins.xml to the following, respectively.
<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=-1 --httpsPort=443 --httpsKeyStore="%BASE%\Cert\Jenkins.jks" --httpsKeyStorePassword=[Cert password from step 1]</arguments>
Troubleshooting:
If Jenkins doesn't start read the last lines from Jenkins.err.log.
If Jenkins didn't start because of an issue with Jenkins.xml, replace the – (weird Windows hyphen) characters with an actual - (ASCII hyphen).
If Jenkins starts but the cert still reads as bad, make sure the [Name of website] is the actual URL without the https: example: https://build.jenkins-ci.org would be build.jenkins-ci.org.
If that isn't the issue, inspect the .jks file using KeyStore Explorer. The "Certificate Hierarchy" should show that each cert is nested in another; this is to illustrate the cert chain. If it shows the certs next to each other then it's not correct.
If it won't start on a specific port, 443 for example, then verify IIS or another app isn't currently using the port.
If you can see the site on the PC it's hosted on, but not another PC, then verify you aren't getting blocked by a firewall.
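The troubleshooting list above boils down to a handful of checks on the <arguments> line of jenkins.xml. The following Python script is an added example, not part of the original answer or of Jenkins itself: it pulls the arguments out of a constructed jenkins.xml, flags the non-ASCII dashes Windows editors substitute for "-", and verifies that --httpPort=-1, --httpsPort, --httpsKeyStore and --httpsKeyStorePassword are all present. The keystore path and password in the sample are placeholders.

```python
"""Sanity-check the <arguments> line of a Windows Jenkins service jenkins.xml.

Added example, not from the original answer or from Jenkins. SAMPLE_JENKINS_XML is
constructed; the keystore path and password in it are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Characters Windows editors like to substitute for "-"; Jenkins does not recognise them as option prefixes.
NON_ASCII_DASHES = {"\u2013": "EN DASH", "\u2014": "EM DASH", "\u2212": "MINUS SIGN"}

# --name=value pairs; the value may be a quoted path containing spaces.
OPTION = re.compile(r'--(\w+)=("[^"]*"|\S+)')

# Constructed sample with two of the mistakes the answer lists: plain HTTP left on 8080,
# and --httpsPort typed with an EN DASH (\u2013) as its first character.
SAMPLE_JENKINS_XML = """<service>
  <id>jenkins</id>
  <arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\\jenkins.war" --httpPort=8080 \u2013-httpsPort=443 --httpsKeyStore="%BASE%\\Cert\\Jenkins.jks" --httpsKeyStorePassword=PLACEHOLDER_PASSWORD</arguments>
</service>
"""


def jenkins_arguments(xml_text: str) -> str:
    """Return the text of the <arguments> element."""
    node = ET.fromstring(xml_text).find("arguments")
    if node is None or not node.text:
        raise ValueError("jenkins.xml has no <arguments> element")
    return node.text


def check_https_arguments(args: str) -> list:
    """Return a list of problems; an empty list means the line looks right."""
    problems = []
    for char, name in NON_ASCII_DASHES.items():
        if char in args:
            problems.append(f"contains {name} (U+{ord(char):04X}); replace it with an ASCII hyphen")
    opts = dict(OPTION.findall(args))
    if "httpsPort" not in opts:
        problems.append("--httpsPort is missing, so HTTPS is not enabled")
    if opts.get("httpPort") != "-1":
        problems.append("--httpPort must be present and set to -1, otherwise plain HTTP stays reachable")
    for required in ("httpsKeyStore", "httpsKeyStorePassword"):
        if required not in opts:
            problems.append(f"--{required} is missing; needed for your own certificate")
    return problems


def fix_dashes(args: str) -> str:
    """Replace every non-ASCII dash with '-' (the fix the troubleshooting step describes)."""
    for char in NON_ASCII_DASHES:
        args = args.replace(char, "-")
    return args


if __name__ == "__main__":
    args = jenkins_arguments(SAMPLE_JENKINS_XML)
    for problem in check_https_arguments(args):
        print("problem:", problem)
    repaired = fix_dashes(args).replace("--httpPort=8080", "--httpPort=-1")
    print("after repair:", check_https_arguments(repaired) or "no problems")
```

Point it at the real file with `jenkins_arguments(open(path, encoding="utf-8").read())` before restarting the service. Note that --httpsKeyStorePassword puts the keystore password in jenkins.xml in plain text, so restrict that file's ACL to the account the service runs as and to administrators.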
Step 1: Create both a public and a private certificate for your Jenkins name (convert them into a keystore file if they are not already).
Step 2: Import the public certificate into your browser certificate manager (import into all tabs).
Step 3: Host your Jenkins using the JKS file which contains both the public and private key.
For the steps, refer to "Enable HTTPS in jenkins?"
